[Koha-bugs] [Bug 29523] Add a way to prevent embedding objects that should not be allowed
bugzilla-daemon at bugs.koha-community.org
Tue Jun 28 18:04:05 CEST 2022
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29523
Martin Renvoize <martin.renvoize at ptfs-europe.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #128691|0                           |1
        is obsolete|                            |
--- Comment #52 from Martin Renvoize <martin.renvoize at ptfs-europe.com> ---
Created attachment 136687
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=136687&action=edit
Bug 29523: Make Koha::Object->to_api respect accessibility
This patch makes the *to_api* method honour the accessibility check for
the object. This is relevant in the context of embedding single objects.
The Koha::Patron->to_api method is adjusted to reflect this behavior as
well (it does some manipulation after the ->to_api call and we need to
prevent it).
To test:
1. Apply up to the regression tests
2. Run:
$ kshell
k$ prove t/db_dependent/Koha/Object.t
=> FAIL: A patron, that shouldn't be accessed, is returned by ->to_api
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass!
6. Pick Henry Acevedo from the sample data, assign him 'catalogue'
permissions and a known user/password combination
7. Enable basic authentication
8. Point your favourite tool (Postman?) to
GET http://kohadev-intra.myDNSname.org:8081/api/v1/biblio/245/checkouts
Set the following header: x-koha-embed: patron
Pick whatever biblio you want, actually.
=> SUCCESS: No checkouts
9. Perform a couple checkouts on the chosen biblio. Make sure one
checkout is for a patron on the same library as Henry, and the other
on a different one.
10. Repeat 8
=> SUCCESS: You see two checkouts. One of them has an attribute 'patron'
containing the patron from Henry's library. The other, has the
attribute set to 'null'.
11. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
Signed-off-by: David Nind <david at davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
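
The behaviour the commit message describes (the serializer itself refusing an inaccessible object, so an embedded patron comes back as null, and a subclass override stopping before its own post-processing) can be modelled in a few lines of Perl. This is an added illustration, not Koha's code and not part of the patch: the Model::* classes, the field names and the same-library rule are all assumptions.

```perl
use strict;
use warnings;
use JSON::PP;    # core module

# Simplified model, not Koha's code: all class names, fields and the
# same-library rule below are assumptions made for the illustration.
package Model::Object;
sub new { my ( $class, %args ) = @_; return bless {%args}, $class }
sub is_accessible { return 1 }    # default: no restriction

sub to_api {
    my ( $self, $params ) = @_;
    # Serialization itself refuses inaccessible objects. Explicit undef so
    # the caller gets a single null value even in list context.
    return undef unless $self->is_accessible( $params->{user} );
    my %json = map { $_ => $self->{$_} } grep { !ref $self->{$_} } keys %$self;
    for my $embed ( @{ $params->{embed} // [] } ) {
        # The embedded object decides for itself; the parent copies nothing.
        $json{$embed} = $self->{$embed}->to_api( { user => $params->{user} } );
    }
    return \%json;
}

package Model::Patron;
use parent -norequire, 'Model::Object';

sub is_accessible {    # assumed rule: same library only
    my ( $self, $user ) = @_;
    return $self->{library_id} eq $user->{library_id};
}

sub to_api {
    my ( $self, $params ) = @_;
    my $json = $self->SUPER::to_api($params);
    return undef unless $json;    # stop here: never post-process a refusal
    $json->{display_name} = "$json->{surname}, $json->{firstname}";
    return $json;
}

package main;

# Constructed sample data: the API user belongs to library CPL.
my $user = { library_id => 'CPL' };
my @checkouts = map { Model::Object->new(%$_) } (
    { checkout_id => 1, patron => Model::Patron->new( surname => 'A', firstname => 'B', library_id => 'CPL' ) },
    { checkout_id => 2, patron => Model::Patron->new( surname => 'C', firstname => 'D', library_id => 'MPL' ) },
);
my @out = map { $_->to_api( { user => $user, embed => ['patron'] } ) } @checkouts;
print JSON::PP->new->canonical->pretty->encode( \@out );
```

Both checkouts are returned; the first carries the serialized patron, the second has `"patron" : null`, which matches the outcome step 10 of the test plan expects.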